ghsa-rr3g-h623-26gf
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix linkwatch use-after-free on disconnect
usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
https://git.kernel.org/tglx/history/c/0f138bbfd83c
The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of all work by calling flush_scheduled_work(), and that could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex held in ->ndo_stop().
The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, ax88179_178a.c, ch9200.c and smsc75xx.c:
- If the drivers receive a link change interrupt immediately before disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) ->status() callback and schedule usbnet_deferred_kevent().
- usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, which calls netif_carrier_{on,off}().
- That in turn schedules the work linkwatch_event().
Because usbnet_deferred_kevent() is awaited after unregister_netdev(), netif_carrier_{on,off}() may operate on an unregistered netdev and linkwatch_event() may run after free_netdev(), causing a use-after-free.
In 2010, usbnet was changed to only wait for a single instance of usbnet_deferred_kevent() instead of all work by commit 23f333a2bfaf ("drivers/net: don't use flush_scheduled_work()").
Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last.
{
"affected": [],
"aliases": [
"CVE-2022-50220"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:52Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix linkwatch use-after-free on disconnect\n\nusbnet uses the work usbnet_deferred_kevent() to perform tasks which may\nsleep. On disconnect, completion of the work was originally awaited in\n-\u003endo_stop(). But in 2003, that was moved to -\u003edisconnect() by historic\ncommit \"[PATCH] USB: usbnet, prevent exotic rtnl deadlock\":\n\n https://git.kernel.org/tglx/history/c/0f138bbfd83c\n\nThe change was made because back then, the kernel\u0027s workqueue\nimplementation did not allow waiting for a single work. One had to wait\nfor completion of *all* work by calling flush_scheduled_work(), and that\ncould deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex\nheld in -\u003endo_stop().\n\nThe commit solved one problem but created another: It causes a\nuse-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,\nax88179_178a.c, ch9200.c and smsc75xx.c:\n\n* If the drivers receive a link change interrupt immediately before\n disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)\n -\u003estatus() callback and schedule usbnet_deferred_kevent().\n* usbnet_deferred_kevent() invokes the driver\u0027s -\u003elink_reset() callback,\n which calls netif_carrier_{on,off}().\n* That in turn schedules the work linkwatch_event().\n\nBecause usbnet_deferred_kevent() is awaited after unregister_netdev(),\nnetif_carrier_{on,off}() may operate on an unregistered netdev and\nlinkwatch_event() may run after free_netdev(), causing a use-after-free.\n\nIn 2010, usbnet was changed to only wait for a single instance of\nusbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf\n(\"drivers/net: don\u0027t use flush_scheduled_work()\").\n\nUnfortunately the commit neglected to move the wait back to\n-\u003endo_stop(). Rectify that omission at long last.",
"id": "GHSA-rr3g-h623-26gf",
"modified": "2025-11-19T15:31:31Z",
"published": "2025-06-18T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50220"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/135199a2edd459d2b123144efcd7f9bcd95128e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/635fd8953e4309b54ca6a81bed1d4a87668694f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f77dcbc030c2faa6d8e8a594985eeb34018409e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b4588b8b00b299be16a35be67b331d8fdba03f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a69e617e533edddf3fa3123149900f36e0a6dc74"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2d6b530d89b0a912148018027386aa049f0a309"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db3b738ae5f726204876f4303c49cfdf4311403f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2a521a7dcc463c5017b4426ca0804e151faeff7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.